From IT Security to Cyber Security – Bits Destroying our Physical World

Attacks on IT systems are a daily nuisance.

Photo: Anni Hanén

Jukka Manner, 20.11.2014

We hear about denial of service attacks, leaked user accounts, passwords and credit card numbers, and how different organizations spy on each other, on companies, and on the citizens of the world. This is not surprising news: ICT evolves and is used for all kinds of purposes, both legal and illegal. Yet a much more serious and lethal crisis is just around the corner; we are only waiting for the first major events to actually happen.

Our modern society is totally dependent on ICT. All our digital systems and services are becoming intertwined and connected to the Internet. Power grids are becoming intelligent ("smart"), and water delivery is digitally controlled with various remote access functions. Our road and air traffic is controlled by digital systems and communication networks. The production of goods, and even of power, is automated and handled by digital systems.

One only needs to use an Internet search engine for a few minutes to find tens, if not hundreds, of reports of industrial control systems (ICS) that have serious security flaws, as well as security holes built in on purpose to ease their daily maintenance. Various exploits against those systems can also easily be found on the Internet, ready to take them down from anywhere and at any time. Some of these vulnerabilities are simple enough that a schoolboy could hack the system and cause it to fail.

The scientific community had a good reminder of the scale of this problem when an MSc thesis from the University of Cambridge used the Shodan search engine to find thousands of vulnerable industrial control systems around the world. This work has since been continued by many groups, including Project Shine, which has so far found 1 million industrial control systems on the Internet.

At Aalto University, we tried to find out the scale and significance of the problem at a national level using Shodan. We found thousands of industrial control systems in Finland. Many of the targets had, for example, no secure login in place, or the administrator password was openly available. Some of the systems found were easily identified as misconfigured or otherwise vulnerable. We could not go very deep in our study, however, for fear of breaking Finnish law and becoming criminals ourselves. Thus, we can relatively easily find targets, but we cannot fully say which of these systems should be openly available and which should not; it is safe to assume that most of them should not be reachable by the whole Internet community.
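The study above stops at the point where a list of reachable systems exists but nobody has decided which of them are supposed to be there. The following is an added example (not code from the article, from Aalto University, or from Shodan) of the triage step an operator would run over an export of their own address range: each record is matched against a table of well-known default ports of common industrial protocols, and anything on such a port that is not on an explicit allowlist of justified exposures is flagged for action. The port table, the CSV layout and the 192.0.2.0/24 sample addresses are assumptions constructed for the example; a real export would come from the organization's own scan or asset inventory.

```python
"""Exposure triage for an exported inventory of Internet-facing services.

Added example: matches inventory records against well-known industrial
protocol ports and flags exposures that have no recorded justification.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Well-known default ports of common industrial protocols (assumed table
# for this example; extend it with the protocols in use on your own sites).
ICS_PORTS: Dict[int, str] = {
    102: "Siemens S7comm (ISO-TSAP)",
    502: "Modbus/TCP",
    20000: "DNP3",
    44818: "EtherNet/IP",
    47808: "BACnet/IP",
}

# Constructed sample export in "host,port,banner" form. 192.0.2.0/24 is the
# documentation range, so these addresses never refer to real systems.
SAMPLE_EXPORT = """\
192.0.2.10,502,Modbus
192.0.2.10,22,SSH-2.0-OpenSSH
192.0.2.20,102,
192.0.2.30,47808,BACnet
192.0.2.40,443,HTTP/1.1
"""

# Constructed allowlist: systems whose Internet exposure has been reviewed
# and documented (for example a vendor-maintained building controller).
APPROVED_EXPOSURES: Set[str] = {"192.0.2.30"}


@dataclass
class Finding:
    host: str
    port: int
    protocol: str
    severity: str  # "critical" or "review"
    reason: str


def parse_export(text: str) -> List[Tuple[str, int, str]]:
    """Parse 'host,port,banner' lines; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        host, port, banner = line.split(",", 2)
        records.append((host, int(port), banner))
    return records


def triage(records: Iterable[Tuple[str, int, str]], approved: Set[str]) -> List[Finding]:
    """Return findings for every industrial-protocol port in the records.

    Unapproved exposures are 'critical'; approved ones are still emitted as
    'review' so the allowlist itself gets re-examined on every run.
    """
    findings = []
    for host, port, _banner in records:
        protocol = ICS_PORTS.get(port)
        if protocol is None:
            continue  # ordinary IT service; out of scope for this triage
        if host in approved:
            severity = "review"
            reason = "approved exposure; confirm the justification is still valid"
        else:
            severity = "critical"
            reason = "industrial protocol reachable from the Internet with no recorded justification"
        findings.append(Finding(host, port, protocol, severity, reason))
    # Critical findings first, then a stable host/port order for reporting.
    return sorted(findings, key=lambda f: (f.severity != "critical", f.host, f.port))


def summarize(findings: Iterable[Finding]) -> Dict[str, int]:
    """Count findings per protocol, which is what a fleet-level report needs."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.protocol] = counts.get(f.protocol, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(parse_export(SAMPLE_EXPORT), APPROVED_EXPOSURES)
    for f in results:
        print(f"{f.severity.upper():8} {f.host}:{f.port} {f.protocol} - {f.reason}")
    print(summarize(results))
```

The point of keeping approved systems in the output as "review" items rather than silencing them is that an allowlist drifts: a controller justified two years ago may have been replaced, and the exposure left behind is exactly the kind of system the study could not classify from the outside.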

There seems to be the same naïve thinking in the industrial control systems community that the Internet community had about 20-25 years ago: who would want to harm us? In the early days of the Internet, users knew each other and security was somewhat of an afterthought; it isn't any more.

In the industrial control community, system vendors and their customers have neglected to take the security of their environments seriously; many have been on the right track, but so many are still lost or simply exercising the classic wishful thinking.

The kinds of systems we see openly connected to the Internet, even in Finland, are frightening: power plants, water delivery, hospitals, jails, railway track control systems, gas stations, grocery stores, building automation, and so forth. The vast majority of these systems would only harm a small group of people, e.g., those in one office building, but there are systems whose failure would cause casualties, either directly or in due course.

In addition to the networked targets, we have industrial and automation systems that are not connected to the Internet. A direct connection is not, however, mandatory, as was evident with the Stuxnet strike on the Iranian nuclear program; the break-in happened with a USB stick.

In our modern, globally connected digital society, we do not have the option of simply hoping for the best. We have to find all these vulnerable systems today, assess how they are used, and start fixing the problems. We have not yet seen a crisis caused by an attack on major civilian infrastructure, but it is only a matter of time before the first incident is reported. Hopefully, governments and industry at large have enough evidence to start acting now, before we see the first catastrophic event. A further challenge is that in the digital world, new weapons and exploits are manufactured at the speed of light.

Jukka Manner
Professor, PhD.
Aalto University School of Electrical Engineering
Department of Communications and Networking
